Cybersecurity Glossary

What is Phishing-Resistant MFA?

Phishing-resistant MFA is a category of multi-factor authentication where the second factor cannot be intercepted, replayed, or tricked by a phishing site. The two mainstream forms are FIDO2 hardware security keys and passkeys, both of which cryptographically bind authentication to the real website.

  • Blocks 99% of password attacks
  • Required by most cyber insurance
  • Core to SOC 2, HIPAA, PCI
How It Works

How Phishing-Resistant MFA works

Three-step view of how it operates in practice.

1. Register: The user registers a hardware key or passkey with the identity provider. A cryptographic key pair is generated — the private key never leaves the device.

2. Challenge: When the user signs in, the identity provider issues a challenge tied to the real website’s domain.

3. Sign: The hardware key or passkey signs the challenge locally. A fake phishing site gets a cryptographically invalid response — the attacker can’t replay it.
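The three steps above, modelled in Go as an added illustration (not code from the original page): the relying-party origin, the challenge value and the minimal authenticator data are constructed for the example, and the flow follows the WebAuthn shape in which the signature covers the origin the browser actually saw.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// RPOrigin is the assumed origin of the real sign-in page.
const RPOrigin = "https://login.example.com"

// ClientData holds the WebAuthn clientDataJSON fields that matter here.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the authenticator's reply: a signature over authData || SHA-256(clientDataJSON).
type Assertion struct {
	ClientDataJSON, AuthData, Sig []byte
}

// Register (step 1): the key pair is generated on the device; only the public key is enrolled.
func Register() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign (step 3): the browser writes the origin of the page that invoked the API into
// clientDataJSON, so the signature covers whichever site the user is really on.
func Sign(priv *ecdsa.PrivateKey, origin, challenge string) (Assertion, error) {
	cd, _ := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	authData := []byte{0x01} // constructed minimal authenticatorData (flag: user present)
	cdHash := sha256.Sum256(cd)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, msg[:])
	return Assertion{cd, authData, sig}, err
}

// Verify (steps 2 and 3, relying-party side): reject a wrong origin or a stale challenge
// before checking the signature, so a relayed or replayed assertion is worthless.
func Verify(pub *ecdsa.PublicKey, a Assertion, challenge string) bool {
	var cd ClientData
	if json.Unmarshal(a.ClientDataJSON, &cd) != nil || cd.Type != "webauthn.get" {
		return false
	}
	if cd.Origin != RPOrigin || cd.Challenge != challenge {
		return false // challenge is bound to the real site's origin
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, a.AuthData...), cdHash[:]...))
	return ecdsa.VerifyASN1(pub, msg[:], a.Sig)
}
```

An assertion signed on a look-alike origin fails the origin check, and rewriting its clientDataJSON to claim the real origin breaks the signature, which is why the response cannot be replayed.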

Phishing-Resistant MFA Variants

Types of phishing-resistant MFA

A clear breakdown of the common variants.

Type: FIDO2 hardware keys
Description: YubiKey, Google Titan, and others. Plug in or tap, touch to confirm. Gold standard.
Label: Most common

Type: Passkeys
Description: Time-based one-time codes from an app like Microsoft Authenticator or Google Authenticator. Offline-capable and phishing-resistant against many attacks.
Label: Convenient

Type: Certificate-based authentication
Description: The user approves a sign-in with a tap on their phone. Easy to use but vulnerable to MFA fatigue attacks — always pair with number matching.
Label: Strongest

Type: Microsoft Authenticator with passwordless
Description: FIDO2 keys like YubiKey, or device-bound passkeys. Phishing-resistant by design — the key will not authenticate against a fake domain.

Why It Matters

Why Phishing-Resistant MFA matters for SMBs

99% reduction in account compromise risk when phishing-resistant MFA is enforced on admins (Source: Microsoft Security, 2024).

Pitfalls

Common Phishing-Resistant MFA mistakes

  • Still using SMS for admins: Admins are attacker target #1. SMS and push notifications can be phished; hardware keys and passkeys cannot.
  • No recovery plan for lost keys: Admins, finance, and anyone with access to money or sensitive data should use an app or hardware key — never SMS alone.
  • Mandating for everyone overnight: Start with admins and finance. Expand to all users once the support workflow is proven.
  • Skipping user training: Users need to understand why the new method matters. "It’s faster, and attackers can’t phish it" is the message.

Common Questions

Phishing-Resistant MFA frequently asked questions

  • Yes. Passkeys use the same underlying FIDO2 technology as hardware keys. They cryptographically bind authentication to the real domain, so a fake site gets nothing useful.
  • Not necessarily. Start with admins, finance, and executives (the most targeted users). Passkeys on personal devices cover the rest for most organizations.
  • Always register a backup key per user and document the recovery process before rollout. A helpdesk-verified identity check enables temporary fallback.
  • Not yet explicitly, but insurers and auditors increasingly flag SMS-based MFA as insufficient. Expect phishing-resistant MFA to become a baseline requirement within 1-2 years.
  • Have a documented recovery process before it happens. Typically an administrator verifies the user's identity through an out-of-band channel, temporarily disables MFA, and re-enrolls the user with a new device. Backup codes or a secondary security key reduce downtime.
Ready to upgrade beyond SMS-based MFA?

Talk to a LogicalNet identity expert. We will review your current environment, recommend the right MFA methods for each group of users, and help you deploy without disrupting the business.

No commitment · Local engineers · Response within 1 business day